IDS mailing list archives

Re: Linux/*nix open source IDS


From: Matt.Carpenter () alticor com
Date: Tue, 12 Aug 2003 12:27:33 -0400

Snort is my personal favorite.  It is capable of both HIDS and NIDS, with 
signature updates reasonably easily pulled and applied.  But it is very 
different in nature from Tripwire.  AFAIK Tripwire is more a "System File 
IDS" which creates a hash of files and compares to check for differences. 
Snort watches for bad traffic, and then either alerts or takes other 
actions, which allows it to act as an IDP solution of sorts.  Definitely 
not as beautiful as a GUI from some vendor like NetScreen, but there are 
those available as well. 




Hello,

I am interested in implementing an open source IDS for a Linux/*nix 
system and have been looking into various different ones and the 
sort of critiques they have received. Some of the products I am 
considering are Tripwire, AIDE, Samhain, Integrit, and Osiris. 
Because I had not been able to find very much commentary about 
such packages (except for Tripwire), I would like to ask what 
sort of experiences anyone has had with them and how they compare 
with one another. Alternatively, if you can point me to where I can 
find such information, that would also be much appreciated.

Since the choice of an IDS depends on the system it is used to 
monitor, I should say I am presently just looking for something 
to protect my stand-alone Linux box, but I would like to learn 
what works for larger systems running any sort of *nix.
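Matt describes Tripwire-style tools as hashing files and comparing against a stored baseline, which is also the model behind the AIDE, Samhain, Integrit and Osiris packages asked about. The example below is added here and is my own illustration, not code from any of those packages: it fingerprints a tree, then classifies added, removed and modified files, including a permission-only change that a content hash alone would miss. The sample tree is constructed in a temporary directory.

```python
"""Minimal Tripwire/AIDE-style file-integrity check: baseline, then compare."""
import hashlib
import os
import tempfile

def fingerprint(path):
    """Attributes a host file-integrity IDS typically records for one file."""
    st = os.lstat(path)
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "size": st.st_size, "mode": st.st_mode}

def snapshot(root):
    """Fingerprint every regular file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                baseline[os.path.relpath(full, root)] = fingerprint(full)
    return baseline

def compare(baseline, current):
    """Classify drift since the baseline: added, removed and modified paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "removed": removed, "modified": modified}

def demo():
    """Constructed scenario: baseline a small tree, change it, re-check."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"original binary\n")
        with open(os.path.join(root, "passwd"), "w") as f:
            f.write("root:x:0:0::/root:/bin/sh\n")
        os.chmod(os.path.join(root, "passwd"), 0o644)
        saved = snapshot(root)  # a real tool stores this on read-only media
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"replaced binary\n")                 # content changed
        os.chmod(os.path.join(root, "passwd"), 0o600)    # mode only, same hash
        open(os.path.join(root, "bin", "nc"), "wb").close()  # new file appeared
        return compare(saved, snapshot(root))
```

Running `demo()` reports `bin/nc` as added and both `bin/ls` and `passwd` as modified; the baseline must be kept somewhere an intruder cannot rewrite, or the comparison proves nothing.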




